Skip to main content
SpringerLink
Log in

Agent-Based File Extraction Using Virtual Machine Introspection

  • Conference paper
  • First Online:
Secure IT Systems (NordSec 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12556))

Included in the following conference series:

  • 486 Accesses

Abstract

Virtual machine introspection (VMI) can be defined as the external monitoring of virtual machines. In previous work, the importance of this technique for malware analysis and digital forensics has become apparent. However, in these domains the problem occurs that some information is not available in the main memory at all times. Specifically, files contained on non-volatile memory are typically not accessible for VMI applications. In this paper, we present a file extraction architecture that uses a dynamically injected in-guest agent to expose the file system for VMI-based analysis. To enable the execution of this in-guest agent, we also introduce a process injection mechanism for ELF binaries through the main memory using VMI.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    This is achieved by waiting in the VMI application until the child’s top-level paging structure differs from the parent’s.

  2. 2.

    Under Linux operating systems, the term anonymous file refers to a file that lives solely in memory. It is not present on any mounted file system and released once it is no longer referenced [12]. The memfd_create system call was introduced in version 3.17. For older Linux versions or BSD variants, it is possible to use shm_open instead.

  3. 3.

    LSTAR is a model-specific register that holds the targeted instruction pointer when executing a system call in long mode.

References

  1. Armbruster, M.: Device Specification for Inter-VM shared memory device (2016). https://fossies.org/linux/qemu/docs/specs/ivshmem-spec.txt. Accessed 27 July 2020

  2. Bahram, S., et al.: DKSM: subverting Virtual Machine Introspection for Fun and Profit. In: 29th IEEE Symposium on Reliable Distributed Systems, pp. 82–91. IEEE (2010)

    Google Scholar 

  3. Brengel, M., Backes, M., Rossow, C.: Detecting hardware-assisted virtualization. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 207–227. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40667-1_11

    Chapter  Google Scholar 

  4. Chudnovsky, D., Chudnovsky, G.: Approximations and complex multiplication according to Ramanujan. In: Pi: A Source Book, pp. 596–622. Springer, New York (2004). https://doi.org/10.1007/978-1-4757-4217-6_63

  5. Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: IEEE Symposium on Security and Privacy, pp. 297–312. IEEE (2011)

    Google Scholar 

  6. Fu, Y., Zeng, J., Lin, Z.: HYPERSHELL: a practical hypervisor layer guest OS shell for automated in-VM management. In: Proceedings of the 2014 USENIX Annual Technical Conference, pp. 85–96. USENIX Association, USA (2014)

    Google Scholar 

  7. Garfinkel, T., Rosenblum, M.: A virtual machine introspection based architecture for intrusion detection. In: Proceedings of the Network and Distributed System Security Symposium. The Internet Society (2003)

    Google Scholar 

  8. Gorman, M.: Understanding the Linux Virtual Memory Manager, vol. 352, 1st edn., pp. 33–38. Prentice Hall, Prentice (2004)

    Google Scholar 

  9. Gu, Z., Deng, Z., Xu, D., Jiang, X.: Process implanting: a new active introspection framework for virtualization. In: 2011 IEEE 30th International Symposium on Reliable Distributed Systems, pp. 147–156. IEEE (2011)

    Google Scholar 

  10. Hale, K.C., Xia, L., Dinda, P.A.: Shifting GEARS to enable guest-context virtual services. In: Proceedings of the 9th International Conference on Autonomic Computing, New York, NY, USA, pp. 23–32. Association for Computing Machinery (2012)

    Google Scholar 

  11. Hebbal, Y., Laniepce, S., Menaud, J.: Virtual machine introspection: techniques and applications. In: 10th International Conference on Availability, Reliability and Security, pp. 676–685. IEEE (2015)

    Google Scholar 

  12. Herrmann, D.: memfd\_create - create an anonymous file. In Linux Programmer’s Manual (2020). http://man7.org/linux/man-pages/man2/memfd_create.2.html. Accessed 09 Feb 2020

  13. Hussein, N.: Randomizing structure layout (2017). https://lwn.net/Articles/722293/ (2017). Accessed 01 Jan 2020

  14. Intel Corporation: Intel\(^{\textregistered }\) 64 and IA-32 Architectures Software Developer’s Manual, vol. 3D, pp. C1–C3, September 2016

    Google Scholar 

  15. Jain, B., Baig, M.B., Zhang, D., Porter, D.E., Sion, R.: SoK: introspections on trust and the semantic gap. In: IEEE Symposium on Security and Privacy, pp. 605–620. IEEE (2014)

    Google Scholar 

  16. Jones, R.: libguestfs - tools for accessing and modifying virtual machine disk images (2009). http://libguestfs.org/. Accessed 27 July 2020

  17. Maartmann-Moe, C., Thorkildsen, S.E., Årnes, A.: The persistence of memory: forensic identification and extraction of cryptographic keys. In: Digital Investigation, vol. 6, pp. S132–S140. Elsevier (2009)

    Google Scholar 

  18. McNamara, R.: Linux based inter-process code injection without ptrace(2) (2017). https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html. Accessed 01 Jan 2020

  19. Mohebbi, H., Kashefi, O., Sharifi, M.: ZIVM: a zero-copy inter-VM communication mechanism for cloud computing. In: Computer and Information Science, vol. 4, pp. 18–27. Canadian Center of Science and Education (2011)

    Google Scholar 

  20. Molnár, I.: This is the CFS scheduler (2007). http://people.redhat.com/mingo/cfs-scheduler/sched-design-CFS.txt. Accessed 19 Jan 2020

  21. Morbitzer, M., Huber, M., Horsch, J.: Extracting secrets from encrypted virtual machines. In: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, CODASPY 2019, pp. 221–230. Association for Computing Machinery (2019)

    Google Scholar 

  22. Morbitzer, M., Huber, M., Horsch, J., Wessel, S.: SEVered: subverting AMD’s virtual machine encryption. In: Proceedings of the 11th European Workshop on Systems Security, EuroSec@EuroSys, pp. 1–6. Association for Computing Machinery (2018)

    Google Scholar 

  23. Payne, B.D.: Simplifying virtual machine introspection using libvmi. Technical report, Sandia National Laboratories (2012)

    Google Scholar 

  24. Pfoh, J., Schneider, C.A., Eckert, C.: A formal model for virtual machine introspection. In: VMSec 2009. Association for Computing Machinery (2009)

    Google Scholar 

  25. Rekall: Rekall memory forensics framework (2012). https://github.com/google/rekall (2012). Accessed 07 Oct 2019

  26. Tanenbaum, A.S.: Modern Operating Systems, pp. 74–75. Prentice Hall, Prentice (2004)

    Google Scholar 

  27. Taubmann, B., Rakotondravony, N., Reiser, H.P.: Cloudphylactor: harnessing mandatory access control for virtual machine introspection in cloud data centers. In: IEEE Trustcom/BigDataSE/ISPA, pp. 957–964. IEEE (2016)

    Google Scholar 

  28. Taubmann, B., Rakotondravony, N., Reiser, H.P.: Libvmtrace: Tracing virtual machines. Winter School on Operating Systems (WSOS) (2016). WiP abstract

    Google Scholar 

  29. Tuzel, T., Bridgman, M., Zepf, J., Lengyel, T.K., Temkin, K.J.: Who watches the watcher? Detecting hypervisor introspection from unprivileged guests. In: Digital Investigation, vol. 26, pp. S98–S106. Elsevier (2018)

    Google Scholar 

  30. Volatility Foundation: Volatility memory forensics framework (2009). https://github.com/volatilityfoundation/volatility. Accessed 07 Oct 2019

Download references

Acknowledgments

This work has been funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – 361891819 (ARADIA).

Author information

Authors and Affiliations

  1. University of Passau, Innstr. 43, 94032, Passau, Germany

    Thomas Dangl, Benjamin Taubmann & Hans P. Reiser

Authors
  1. Thomas Dangl
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Benjamin Taubmann
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hans P. Reiser
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Thomas Dangl .

Editor information

Editors and Affiliations

  1. Linköping University, Linköping, Sweden

    Mikael Asplund

  2. Linköping University, Linköping, Sweden

    Simin Nadjm-Tehrani

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Dangl, T., Taubmann, B., Reiser, H.P. (2021). Agent-Based File Extraction Using Virtual Machine Introspection. In: Asplund, M., Nadjm-Tehrani, S. (eds) Secure IT Systems. NordSec 2020. Lecture Notes in Computer Science(), vol 12556. Springer, Cham. https://doi.org/10.1007/978-3-030-70852-8_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-70852-8_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-70851-1

  • Online ISBN: 978-3-030-70852-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation